You're better off doing a private bug bounty through Bugcrowd or HackerOne.
Pentests are point-in-time assessments. Usually with one to two testers, with limited scopes of expertise.
Bug bounties can bring in hundreds of testers with a wide breadth of expertise that continuously test.
I can only speak to a very specific example that I set up and ran at my last job for a SOC 2 annual pen test. We used a service called Cobalt Core (not affiliated), but they're kind of like Upwork for pen testers.
Aside from that, I'd imagine the general process is very similar. You define your parameters on what they're looking for, where to look for it, and what not to do. First thing I'd say is to make sure you have an isolated staging environment for them that they can attack without you disturbing them or them disturbing you.
If there are any parts of your code base that you're specifically concerned about, ask them to focus there! The goal of a pentest is to find what's broken (which it seems you're already on board with). An old CEO of mine wanted us to pass the pentest, not actually gain value from it... Take advantage of the fact they have people who know more than you and me (hopefully) to try and compromise the application.
They should give a nice write-up with details on what they found, and I've had a good experience asking them questions about solutions and future prevention.
I'm sure quality varies, but I wouldn't be surprised if the majority of what gets done for the average pentest is the same list of scripts that try to abuse Django admin and such, so I can't really speak to other qualities. Lots of injection-focused attacks, but can't hurt for them to try.