diff --git a/cli/src/cli.rs b/cli/src/cli.rs
index b775bb6b77ad..a45f45d35737 100644
--- a/cli/src/cli.rs
+++ b/cli/src/cli.rs
@@ -118,6 +118,10 @@ pub struct RunCmd {
 	#[arg(long)]
 	pub beefy: bool,
 
+	/// Allows the validator to run insecurely if they know what they're doing.
+	#[arg(long = "insecure-validator-i-know-what-i-do", requires = "validator")]
+	pub insecure_validator: bool,
+
 	/// Add the destination address to the jaeger agent.
 	///
 	/// Must be valid socket address, of format `IP:Port`
diff --git a/cli/src/command.rs b/cli/src/command.rs
index 2f0bc9e2f856..96b80a3ff57e 100644
--- a/cli/src/command.rs
+++ b/cli/src/command.rs
@@ -303,6 +303,12 @@ where
 		return Err(Error::Other("BEEFY disallowed on production networks".to_string()))
 	}
 
+	if cli.run.base.validator && !cli.run.insecure_validator {
+		if let Err(e) = can_run_as_secure_validator() {
+			return Err(Error::InsecureValidator(e))
+		}
+	}
+
 	set_default_ss58_version(chain_spec);
 
 	let grandpa_pause = if cli.run.grandpa_pause.is_empty() {
@@ -732,3 +738,17 @@ pub fn run() -> Result<()> {
 	}
 	Ok(())
 }
+
+/// Returns an error if a secure validator cannot be built for the target OS and architecture.
+fn can_run_as_secure_validator() -> std::result::Result<(), String> {
+	#[cfg(not(target_os = "linux"))]
+	let result = Err("Must be on Linux to run a validator securely.".into());
+
+	#[cfg(all(target_os = "linux", not(target_arch = "x86_64")))]
+	let result = Err("Must be on x86_64 to run a validator securely.".into());
+
+	#[cfg(all(target_os = "linux", target_arch = "x86_64"))]
+	let result = Ok(());
+
+	result
+}
diff --git a/cli/src/error.rs b/cli/src/error.rs
index a4591e2508c9..289ae7575c06 100644
--- a/cli/src/error.rs
+++ b/cli/src/error.rs
@@ -57,4 +57,7 @@ pub enum Error {
 
 	#[error("This subcommand is only available when compiled with `{feature}`")]
 	FeatureNotEnabled { feature: &'static str },
+
+	#[error("Insecure validator: {0} Run with --insecure-validator-i-know-what-i-do if you understand and accept the risks of running insecurely.")]
+	InsecureValidator(String),
 }