Detecting malicious instructions on a virtual machine
Abstract:
A system that includes a hypervisor configured to communicate packets comprising virtual machine operating characteristics metadata for guest virtual machines. The system further includes a virtual vault machine comprising a hypervisor device driver, a hypervisor device driver interface, and an analysis tool. The hypervisor device driver is configured to receive a packet comprising virtual machine operating characteristics metadata for a guest virtual machine and to communicate the virtual machine operating characteristics metadata to an analysis tool using the hypervisor device driver interface. The analysis tool is configured to correlate the virtual machine operating characteristics metadata to one of a cluster of known healthy guest virtual machines or a cluster of known compromised guest virtual machines using a machine learning algorithm and to classify the guest virtual machine.
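The classification step the abstract describes, sketched as an added example that is not taken from the patent: a metadata packet for one guest is parsed and assigned to whichever cluster (known healthy or known compromised) has the nearer centroid. The JSON packet layout, the feature names, the training values and the choice of a nearest-centroid classifier are all assumptions made for illustration; the abstract only says "a machine learning algorithm".

```python
# Added illustration, not from the patent: packet layout, feature names and
# all sample values below are constructed assumptions.
import json
import math

FEATURES = ("cpu_util", "syscalls_per_s", "outbound_conns", "mem_write_mb_s")

# Constructed training observations for guests whose state is already known.
KNOWN = {
    "healthy": [(0.22, 900, 12, 35), (0.30, 1100, 15, 40), (0.25, 1000, 10, 38)],
    "compromised": [(0.85, 4200, 140, 210), (0.92, 5000, 180, 260), (0.78, 3900, 120, 190)],
}

def _scaling(rows):
    """Per-feature mean and standard deviation over all training rows."""
    cols = list(zip(*rows))
    means = [sum(c) / len(c) for c in cols]
    stds = [math.sqrt(sum((x - m) ** 2 for x in c) / len(c)) or 1.0
            for c, m in zip(cols, means)]
    return means, stds

MEANS, STDS = _scaling([r for rows in KNOWN.values() for r in rows])

def _scale(row):
    """Z-score a raw feature row so no single unit dominates the distance."""
    return [(x - m) / s for x, m, s in zip(row, MEANS, STDS)]

# One centroid per cluster, computed in the scaled feature space.
CENTROIDS = {
    label: [sum(c) / len(c) for c in zip(*map(_scale, rows))]
    for label, rows in KNOWN.items()
}

def classify_packet(packet: bytes):
    """Parse one metadata packet and return (vm_id, label, distances)."""
    msg = json.loads(packet)
    metrics = msg["metrics"]
    missing = [f for f in FEATURES if f not in metrics]
    if missing:  # refuse to classify on partial telemetry
        raise ValueError(f"packet for {msg.get('vm_id')} lacks {missing}")
    point = _scale([float(metrics[f]) for f in FEATURES])
    dist = {label: math.dist(point, c) for label, c in CENTROIDS.items()}
    return msg["vm_id"], min(dist, key=dist.get), dist

if __name__ == "__main__":
    sample = json.dumps({"vm_id": "guest-07", "metrics": {
        "cpu_util": 0.88, "syscalls_per_s": 4600,
        "outbound_conns": 150, "mem_write_mb_s": 220}}).encode()
    print(classify_packet(sample))
```

The returned distances let an operator see how close a guest sits to each cluster; a guest roughly equidistant from both is a candidate for manual review rather than an automatic verdict.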