How advanced is brute force password cracking nowadays?

Recently I received an email from my company's IT department and they were working with a third party to test password strength. They claimed that they were able to brute force my password, which was 18 characters, upper and lowercase letters, numbers, and special characters.

I was under the impression that this is fairly secure from brute force. Are they probably using a hybrid approach like with dictionary attacks or something?

advanced attacks brute characters cracking department email hybrid letters numbers party password password cracking password strength privacy special strength test third under working