pure brute force attacks arent really a thing anymore,mostly because of time and said systems.

instead you have avariatino of it by acquiring the database of the target you can attempts to brute force the passwords listed there. this bypasses lockout features because you are not interacting with the login systme directly anymore.

instead of trying every single character combination, you limit your search to every single known word aka: a dictionary attack.