IOWA, USA — The state of Iowa paid a Colorado-based security company to test and try to break into a county courthouse, KDVR reports. Once the men were successful in doing so, they were arrested.

Two employees with Coalfire were paid to hack the system to expose vulnerabilities and help address other potential security issues. Now, the two men have been charged with burglary -- even though the Iowa Judicial Branch hired them to break in.

"I think when a common individual looks at this, you'd look at this and say this is insane," Tom McAndrew, the CEO of Coalfire told KDVR. "To be honest, it's totally absurd what's going on."

Apparently, the Iowa Judicial Branch signed the contract to green-light the operation but didn't alert the county that owns the courthouse. Then, the two men tripped an alarm at the courthouse on Sept. 11, according to the Des Moines Register.

The charges against the employees have since been reduced but not dropped, CNBC reports. They've pleaded not guilty.

An Iowa Supreme Court justice reportedly apologized to a state Senate committee, but some legislators have complained the tests left the public in "danger."

Some of the more common security efforts for courthouses and other government agencies include penetration tests, otherwise known as pen tests. Pen tests are meant to test facilities to see how easily an intruder could get to sensitive data or equipment.

"It's not totally unusual to have police involved, in a pen test, but it is unusual for security professionals to get arrested," Coalfire CEO Tom McAndrew told CNBC.

In the lead-up to the 2020 elections, cybersecurity expert Casey Ellis expressed concerns to CNBC that the arrests could complicate efforts to secure election and voting facilities.

"People that build systems, whether they can be computer networks or they can be physical buildings, it has a primary function, and the people building it aren't necessarily thinking about security," Ellis told CNBC. "I can only see the need for this accelerating."

Through an open-source project he calls "Disclose.io," Ellis is pushing to create "safe harbors" for researchers to help expose vulnerabilities.

