Even small organizations face the risk of being attacked. While the risk increase with the value of your assets and your exposure to organized groups it’s not the case that just because you don’t think you’re a target that you will be safe.
When organizations build their systems they are usually feature driven. Having some external party check the security of your systems with an attacker mindset usually brings up issues that have never been adressed and leave you at risk for compromise.
I am a certified pentester (OSWP, OSCP, OSCE, OSWE) and have experience in attacking systems. I combine that with more high level skills (CSSLP, CISSP) that allows me to not only go for technical weaknesses in systems, but understand how to bring organizations to a state where security is the default rather than the exception.
There are many great vulnerability assessment systems and they have their value. But in my experience a creative mindset is a better gauge of security instead of just running a scanner (which could still be part of an overal strategy to secure your business).
Pentest give you an impression of the security of your system. They’re efficient since with a experienced pentester many different vectors can be tried in parallel. Real attackers don’t act like this. If you want to secure yourself against advanced threats you have to test the security of you system under realistic conditions. Based on the results of this you then start to improve your security posture and try new, more advanced attacks until.
I can act as a red/purple team member to bring an external view into your team.