In this case, Equifax, like many companies, has a large portfolio of applications. As revealed in our OSSRA report, most companies don't do a good job of tracking open source. So unless Equifax had deployed a solution like Black Duck, they probably did not have a complete and reliable inventory of the open source components in use in their applications. Therefore, it's likely that in March, when the vulnerability was disclosed, they didn't even know they were at risk, even if their security team was aware of the vulnerability. Put simply, they were flying blind.
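To make the "flying blind" point concrete, here is an added example (not Black Duck's code, not anything from Equifax) of the check a component inventory makes possible: match each inventoried component against an advisory's affected version ranges. The inventory entries and app names are constructed; the affected ranges are those published for CVE-2017-5638 in Apache Struts 2.

```python
"""Check a component inventory against an advisory's affected version ranges."""
from typing import Dict, List, Tuple

# Affected ranges for CVE-2017-5638 (Apache Struts 2): 2.3.5 through 2.3.31
# and 2.5 through 2.5.10; fixed in 2.3.32 and 2.5.10.1.
ADVISORY: Dict = {
    "id": "CVE-2017-5638",
    "component": "org.apache.struts:struts2-core",
    "affected": [("2.3.5", "2.3.31"), ("2.5", "2.5.10")],
}

# Constructed sample inventory (hypothetical apps, not real Equifax data).
INVENTORY: List[Dict[str, str]] = [
    {"app": "web-portal", "component": "org.apache.struts:struts2-core", "version": "2.3.28"},
    {"app": "dispute-ui", "component": "org.apache.struts:struts2-core", "version": "2.5.10.1"},
    {"app": "batch-jobs", "component": "org.apache.struts:struts2-core", "version": "2.3.32"},
    {"app": "api-gw", "component": "org.springframework:spring-web", "version": "4.3.7"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.5.10.1' into (2, 5, 10, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def in_range(version: str, low: str, high: str) -> bool:
    """Inclusive range check; shorter tuples are zero-padded so 2.5 == 2.5.0.0."""
    v, lo, hi = parse_version(version), parse_version(low), parse_version(high)
    width = max(len(v), len(lo), len(hi))

    def pad(t: Tuple[int, ...]) -> Tuple[int, ...]:
        return t + (0,) * (width - len(t))

    return pad(lo) <= pad(v) <= pad(hi)


def find_exposed(inventory: List[Dict[str, str]], advisory: Dict) -> List[str]:
    """Return the apps whose inventoried component version falls in an affected range."""
    hits = []
    for entry in inventory:
        if entry["component"] != advisory["component"]:
            continue
        if any(in_range(entry["version"], lo, hi) for lo, hi in advisory["affected"]):
            hits.append(entry["app"])
    return hits


if __name__ == "__main__":
    for app in find_exposed(INVENTORY, ADVISORY):
        print(f"{app}: exposed to {ADVISORY['id']}")
```

Without the inventory list there is nothing to run this against, which is the gap the paragraph describes; with it, the exposed application is identified the day the advisory lands.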
Since the exploits for CVE-2017-5638 were widely available and being used almost immediately after the vulnerability was disclosed, Equifax entered this period of very high risk without knowing it, at the same time that hackers were actively scanning and probing to find websites and applications that were vulnerable. If this is the case, the door was "unlocked" until they discovered the breach over four months later.
Whatever regulatory rules apply to the specific app probably required them to confirm whether any data was accessed, which is when they brought in the forensics team. Given that the 2017 Cost of Data Breach Report from the Ponemon Institute stated an average of 206 days to identify and contain a breach, this timeline shows Equifax's response time was actually better than average.