It's still a "loss" from the defenders perspective even if someone can't compromise other systems. The defenders still need to assess the damage, fix the vulnerability, and verify that nothing was compromised regardless of what protections are in place.
For example, maybe the attacker is after trade secrets but compromises the CMS (content management system) of your public website. It has no connection to your intranet, but they were able to change download links and inject scripts for visitors of your website. Still a "win" as they now have a place to pivot from or just use to their liking. It gives the attacker options while your system is left weakened with less options.
For example, maybe the attacker is after trade secrets but compromises the CMS (content management system) of your public website. It has no connection to your intranet, but they were able to change download links and inject scripts for visitors of your website. Still a "win" as they now have a place to pivot from or just use to their liking. It gives the attacker options while your system is left weakened with less options.