July 2, 2023, 7:38 p.m. | /u/huyan147

cybersecurity www.reddit.com

Hi everyone, 

Our company just had a pen test performed by an external security auditing team. Their list of "Top 10 vulnerabilities" is much different from "the highest vulnerabilities" list by Rapid7 (our internal scanner). The 2 lists share only 2 vulnerabilities; the rest are completely different ones. The pen testing was black box, and their scan is non-credentialed. In contrast, our internal scanning is credentialed. I wonder which "top vulnerabilities" list we should focus our remediation on. Should we …
