A processor supports programmable control, by a trusted layer of a virtual machine (VM), of the interception of events at the processor. The trusted layer of the VM programs security control information (e.g., a control register or other control structure) that designates particular events that are to be intercepted when triggered by another layer of the VM. In response to detecting a designated event, system hardware intercepts the event, rather than executing the event. The VM is thereby able to protect confidential information and program behavior without relying on a hypervisor, thus improving overall system security.