The Patch-Velocity Gap: AI Discovery Is Outpacing OSS Patching

DEV Community·Namish Saxena·24 days ago
#security #ai #opensource #research #patch #slow

Your SBOM Tells You What's Vulnerable. It Doesn't Tell You How Long It Will Stay That Way.

Imagine your team runs a dependency scan before a release. Two hundred warnings. You triage by CVSS score — fix the criticals, document the highs, accept the mediums. You ship.

Six weeks later, a medium-severity advisory that was already disclosed before your release date gets exploited in production. The maintainer was a solo developer. He'd acknowledged the CVE in a GitHub issue. There was even a draft fix — it just hadn't shipped.

Your scanner knew the package was vulnerable. It didn't know whether a fix was coming in three days or three quarters. You found out the hard way.

That scenario is not exotic. It describes a gap that no current security tool addresses: not whether a vulnerability exists, but how long that vulnerability will remain the reality for your production system.…
