I work for an SMB of about 200 users and 8 websites. I'm by no means an expert and am just a jr sysadmin who has been with this company about three years now, so I'm somewhat familiar with the environment.
We are looking to pentest our ecommerce websites and I have some discovery calls with a couple of companies to see which one is best for us. Besides PCI compliance scans, I don't have any experience with this sort of thing. Our web guys are pretty decent but this is our first real foray into pen testing.