Somebody once gave me the advice that my first hire as a Security Lead shouldn't be an in-house penetration tester, because that's the one part of security you can reliably outsource.
I was biased against this, because I have been that in-house penetration tester before. As I reflected on those jobs, I realized that my role quickly shifted every time. Getting an external penetration test generally covered that need pretty well.
As a company grows, the need to bring certain functions in-house becomes apparent. If a startup is looking to an enterprise as a role model on how to structure their security team, they'll miss out on certain functions that are better suited to being outsourced at the earlier stages of a company.
As a rule of thumb, any security role which requires someone who is a dedicated specialist can generally be outsourced at an early stage startup. Many exceptions apply, and your mileage may vary.
Penetration testing should be a relatively small part of a Security Engineer's role at an early stage company. It's far less money, and far more effective, to hire a team of experts once or twice per year to come break your product apart.
An internal hire should focus instead on the things which require human relationships and a deeper understanding of the context, process, people, and strategies. This means reviewing design documents, technical proposals, and pull requests. It also means triaging vulnerabilities reported by sources with less context, such as outside firms or automated tooling, to ensure that only valid issues need to be addressed by engineers.
At Vanta we use Doyensec for our penetration tests.
Detection and Response
Responding to security alerts is an operationally intensive task. Doing so at night and over the weekend can be brutal, unless you're ready to scale out a Security Operations Center for 24/7/365 coverage. Even then, burnout is a hazard of the job.
You can significantly reduce this burden by using a managed detection and response service. They'll triage alerts, run their own detections, and have a human verify applicability at all times, day or night. Then you and your team only get paged when there is a verified incident to handle.
Note: Your team should still do Tabletop Exercises to prepare to handle real-world incidents detected by these managed services.
You may find that you're early enough to start thinking about security, but aren't sure if you should be hiring your first full-time employee in that area yet.
There are some companies, like Latacora, which come in at this stage. They build out a full-fledged security program, and eventually hire you a security lead to take it over.
This can be a great option with a ton of flexibility.
To sum things up, if you can find a high quality managed service provider for the role you're considering, you should take that option seriously. Using a third-party can give you far more agility. At the early stages of a company, things can change in big ways very quickly, and the more agile your security program is, the better.