KERNEL BASED EXPLOITATION DETECTION AND PREVENTION USING GRAMMATICALLY STRUCTURED RULES
Abstract:
An anti-exploitation application identifies and prevents a malicious action from occurring on a client. To do so, a monitoring system is instantiated in the kernel of the client's operating system. The monitoring system stores information describing actions taken by the processor. When the monitoring system detects a triggering action, it sends the triggering action to the anti-exploitation application to determine whether the triggering action is an exploitation action. The anti-exploitation application accesses an evidence set for the triggering action and its related actions. The anti-exploitation application generates an execution hierarchy defining the hierarchical relationships between the triggering action and its related actions and tests the hierarchy against a ruleset of grammatically structured rules. If a grammatically structured rule in the ruleset indicates that the triggering action is an exploitation action, the anti-exploitation application takes a prevention action.
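As an added example that is not the patent's implementation: a small Python model of the pipeline the abstract describes. The evidence set is constructed inline, and the rule grammar is a hypothetical one (terminals are predicates on a single action, `*` stands for any run of intermediate actions); the example builds the execution hierarchy for a triggering action and tests it against the ruleset.

```python
from dataclasses import dataclass
from typing import Optional

# One recorded action: which process did what to which target, and which
# earlier action it descends from (the parent link the hierarchy is built from).
@dataclass
class Action:
    id: int
    process: str           # image name of the acting process
    kind: str              # "exec", "spawn", "write", "connect", ...
    target: str
    parent: Optional[int] = None

# Constructed sample evidence set, standing in for what a kernel monitor stored.
EVIDENCE = {a.id: a for a in [
    Action(1, "explorer.exe", "exec", "winword.exe"),
    Action(2, "winword.exe", "spawn", "cmd.exe", parent=1),
    Action(3, "cmd.exe", "spawn", "powershell.exe", parent=2),
    Action(4, "powershell.exe", "connect", "203.0.113.7:443", parent=3),  # triggering action
]}

def execution_hierarchy(evidence, trigger_id):
    """Follow parent links from the triggering action up to the root; return root-first."""
    chain, cur = [], evidence[trigger_id]
    while cur is not None:
        chain.append(cur)
        cur = evidence.get(cur.parent) if cur.parent is not None else None
    return list(reversed(chain))

# Hypothetical rule grammar: a rule is a sequence of terminals (predicates on one
# action) and the wildcard "*", which absorbs zero or more actions of any kind.
def term(process=None, kind=None, target=None):
    return lambda a: all(v is None or getattr(a, f) == v
                         for f, v in (("process", process), ("kind", kind), ("target", target)))

RULES = {
    "office app spawns shell that reaches the network": [
        term(kind="exec", target="winword.exe"), "*",
        term(kind="spawn", target="cmd.exe"), "*",
        term(kind="connect"),
    ],
}

def matches(rule, chain):
    """Recursive-descent match of a rule against the root-first action chain."""
    if not rule:
        return not chain
    head, rest = rule[0], rule[1:]
    if head == "*":
        return any(matches(rest, chain[i:]) for i in range(len(chain) + 1))
    return bool(chain) and head(chain[0]) and matches(rest, chain[1:])

def classify(evidence, trigger_id, rules=RULES):
    """Names of the rules under which the triggering action is an exploitation action."""
    chain = execution_hierarchy(evidence, trigger_id)
    return [name for name, rule in rules.items() if matches(rule, chain)]
```

A non-empty result from `classify` is the point at which the abstract's prevention action would be taken; an empty result (for example, `classify(EVIDENCE, 1)`) lets the action proceed.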