- Have you coded against malicious input?
- Does your code intentionally stop the various types of cross-site scripting?
- Have you done a code audit to check that this is the case?

I'm probably skipping over a bunch of other things you can do to make a site more secure, but you may want to consider the above before talking about penetration testing.
Getting broken into by a penetration tester means that your site is in some way insecure.
Not getting broken into doesn't mean that your site is secure - there could be a vulnerability that the pen company didn't know about.
I would suggest maybe following some of the blog thought about computer security (I follow Bruce Schneier; Coding Horror has some good posts occasionally; YMMV).
That and pen tests by a company cost money.