The tactic is something like a strike/counter-strike battle plan, and as such there are casualties. For instance, once a program is limited to locations X and Y it may begin to store data there that doesn't belong, which in turn could cause a server crash. But the security system learns as it goes, narrowing the space that the malicious program has to maneuver while figuring out what countermeasures are most effective. So a site that has dozens of servers will lose a few during the opening salvo of the attack, but in doing so the security system learns the enemy's M.O. and engineers a fix for the remaining servers, sometimes in a matter of seconds.