This year marks the fifth anniversary of Project Zero, an applied security research team at Google that aims to "make 0day hard". It has been a tumultuous and exciting journey so far, and we've managed to explore a huge range of weird and wonderful attacks. Full-chain browser exploits. Remote WiFi firmware attacks. The trials and tribulations of Flash! Kernel and userland privilege escalation for Linux, Windows, macOS, chromeOS, iOS, and Android. Hypervisor escapes. Oh, and something about speculative execution...We've published a dizzying array of vulnerabilities and exploits. But why? How? And what does this all mean for user security? This presentation gives a behind-the-scenes look at Project Zero's work, and a retrospective assessment of the impact this work has had. We'll look at why a team like Project Zero is needed in the first place, and some of the core principles that we use to make decisions. We'll dive into some of the classic hits from Project Zero's portfolio, and share some of the technical insights that result. And finally, we'll share some of the lessons learned, and a sketch for the next five years of Project Zero.