The technology disclosed herein enables a hypervisor to send a security policy to a virtual machine, which may use the security policy to validate system call invocations requested by a guest operating system. The system call invocations may be validated prior to being received by the hypervisor. The hypervisor may also validate system call invocations that are successfully validated by the virtual machine. An example method may include: identifying, by a hypervisor on a host machine, a security policy associated with a virtual machine, wherein the security policy specifies one or more validation rules, causing, by the hypervisor, the security policy to be imported into a guest operating system of the virtual machine from the hypervisor, and responsive to receiving, by the guest operating system, a first request to perform a system call, validating, by the guest operating system, the first request in accordance with the validation rules.