The most prominent threat actors are known as Advanced Persistent Threats (APT), which are highly skilled groups of adversaries, sponsored by nations, organised criminal or corporate groups. They are called persistent because their operations can remain undetected on compromised networks for long periods.
Nation-sponsored-groups primarily target critical infrastructure, financial organisations, government institutions, other nation-sponsored-groups and all kinds of NGO’s and activist groups not agreeing with their actions.
Criminal groups are just after money and resources. They attack civilians and businnesses but avoid attacking governments’ crown jewels. It may seem to be per silent agrement.
Corporate-sponsored-groups mostly target NGO’s and activists defending land and rights, because really, just like criminal groups, they are after money and the resources of others (most likely in another nation per agreement with its government, but not with the civilians).
If people are affected by an APT, would they be prepared to respond effectively? Could they detect the methods used to gain and maintain access if the adversary has been there for several months? What if the initial access was obtained because someone opened a suspicious email attachment? What if a zero-day exploit is used? Do courses and penetration tests prepare for these things?
Conventional pentesting covers the finding of most technical vulnerabilities. The limitations on such processes include time and budget constraints, a limited scope, every effort being made to make the tests as non-disruptive as possible, and having a heavy IT focus.
Real adversaries do not follow such ethical codes and are mostly unrestricted in their actions.