A pentest would ALWAYS be of value. But, whether or not it would make a difference immediately, knowing you've been compromised already, is the key.
Forensics is often the fastest (and should be the immediate first step) way to determine how the current compromise happened, but might not give all the details, so following up with / in conjunction with a pentest (in this case, informed about what the forensic activities found, so you can be on extra lookout for said vulnerability and how they exploited it) would be a logical value add to the forensic actvities.
Obviously you have to better your security posture through remediation and recommended / continued testing, at regularized intervals (or not so regular, as well, to keep folks sharp.) But those are secondary to, as ziggy_567 noted, the immediate activities of triage.
In short, all the above would be prudent, but the first concern should be determining the immediate cause and effect of the current compromise.
~ hayabusa ~
"All men can see these tactics whereby I conquer,
but what none can see is the strategy out of which victory is evolved."
- Sun Tzu, 'The Art of War'
OSCE, OSCP (Former - GPEN, C|EH - both expiring / expired)