TECHNOLOGY TO CONTROL SYSTEM CALL INVOCATIONS WITHIN A SINGLE ADDRESS SPACE

Abstract

Systems, apparatuses and methods may provide for technology that stores a security monitor at a first location in an address space, wherein the security monitor is to control requests to use a security-critical instruction at a second location in the address space, and wherein the second location is in the first set of locations. The technology also installs a control instruction at an entry point to the security monitor, wherein the control instruction is to restrict indirect branch targets, and excludes the control instruction from all locations in the first set of locations that are not entry points.

Publication
US Patent App. 17/314,349