After a heuristic event counter in a processor has triggered a performance monitoring interrupt (PMI) when the processor was executing a target program in user mode, and after the processor has switched to kernel mode in response to the PMI, a heuristic event handler automatically performs preliminary analysis in kernel mode, without switching back to user mode, to determine whether heavyweight code analysis is warranted. The preliminary analysis comprises (a) obtaining an instruction pointer (IP) for the target program from a last branch record (LBR) buffer in the processor, (b) using transaction hardware in the processor to determine whether the IP from LBR buffer points to a readable page in memory, and (c) determining that heavyweight code analysis is not warranted in response to a determination that the page pointed to by the IP from LBR buffer is not readable. Other embodiments are described and claimed.