the most important rule is that the costs of the audit (the pentest is included here) do not exceed the potential losses when opening a potential problem. + it is necessary that after the audit the found holes will not close by themselves in order to get rid of them, you need your own specialists (or you will have to turn to a third-party company again). after you calculate the costs, you can already think about whether you need it.

The main question is what will you do with the results? Well, they find a bunch of things, you rush to fix everything? It can cost much more than 100K. And if not, why testing?
More important questions. What does a "micro-enterprise" do? How did you initially approach the issue? Do you have your own specialist? Is there a threat model?

A "full" test is called an audit, not a pentest. Pentest, as a rule, shows what an attacker can find in a fixed time, and audit involves a deep study of systems, software, equipment, and their interaction.
I advise you to start by discussing your systems and building a threat model with a dedicated consultant. I recommend contacting https://dsec.ru/

The main thing is to clearly set goals and understand the goals that you are pursuing.
Do you need help fixing vulnerabilities/holes?
But I would not advise contacting Kontur, etc., these offices most often use outsourcing (we know, since we are performers).
Contact us, we will help you with a free consultation - [email protected]

Well, then order from trusted and reliable ones. I hope you have no doubts about Doctor Web's competence? Request com. proposal, maybe not so scary. https://antifraud.drweb.ru/expertise/scope