Invention Grant
- Patent Title: Threat defense techniques
- Application No.: US15483971
- Application Date: 2017-04-10
- Publication No.: US09892256B1
- Publication Date: 2018-02-13
- Inventor: Jason A. Lango, Dennis Ramdass, James J. Voll
- Applicant: Bracket Computing, Inc.
- Applicant Address: US CA Mountain View
- Assignee: Bracket Computing, Inc.
- Current Assignee: Bracket Computing, Inc.
- Current Assignee Address: US CA Mountain View
- Agency: Hickman Palermo Becker Bingham LLP
- Main IPC: G06F12/14
- IPC: G06F12/14; G06F21/55; G06F9/455; G06F21/56; G06F21/62

Abstract:
In an approach, an intermediary guest manager operates within a virtual machine hosted by a host machine and managed by a hypervisor. The intermediary guest manager manages one or more guest operating systems operating within the virtual machine and implements one or more security services for the guest operating systems. The security services provided to the guest operating systems may include system call filtering, memory protections, secure memory dumps, and others. In some cases, the intermediary guest manager consults a threat defense policy which contains a number of records, where each record has one or more triggers representing suspicious activity and one or more actions to take in response to being triggered. When the intermediary guest manager identifies a request, such as a system call or memory access, that meets the trigger of a particular record, the intermediary guest manager executes the associated actions to remediate the suspicious activity.