You can't really take this approach. The really good hackers will use anything and everything to try and get into your server if they are determined enough. And just pen testing? KPMG sounds a bit expensive.
Just need to pen test one of our servers for compliance, there must be someone local who offers this service.
I have googled, there are a few, but I would really like a recommendation.