Traditionally we've used the term Targeted Attack or CNE (meaning Computer Network Exploitation), but people tend to ask what that is. I die a little inside when I use the APT term, but people who get it, get it, and people that listen to marketers (rightfully) act suspicious.

The attacks are real and have been going on since the 90s, but it's not as clean cut as people make out. The primary distinguishing factor is the 'P' for persistence, not necessarily the 'A'. Anyone selling on a "don't let this happen to you" message is obviously selling bunk. You're either a target or not for this stuff, and that depends on a whole load of factors. If you're not a target then your biggest similar threat is probably broad malware attacks (more associated with botnets) or unfocused criminal activity. If you're susceptible to APT, it's because you've already been hit. That's why "don't let this happen to you" doesn't work - it will happen, and it will happen again. The trick is to detect it and kick the buggers out before they cause any (qualified) damage.

You make an interesting point about App Pen Tests. I'm surprised that you say that it rarely pivots. We do all the time. We routinely face people who say Cross-Site Scripting isn't an issue, until we show them different ways of attacking their users - as opposed to the dull alert('XSSLOL');

Likewise for SQL injection I certainly find that breaking in and hunting around leads to all kinds of things you otherwise wouldn't see. If you're not trying to break in, it's not really a 'Penetration' test as much as the app equivalent of a Vulnerability Assessment.