diff --git a/cmd/ctr/commands/commands.go b/cmd/ctr/commands/commands.go
index 9156b0b13..0d831f150 100644
--- a/cmd/ctr/commands/commands.go
+++ b/cmd/ctr/commands/commands.go
@@ -155,6 +155,10 @@ var (
 			Name:  "seccomp",
 			Usage: "enable the default seccomp profile",
 		},
+		cli.StringFlag{
+			Name:  "seccomp-profile",
+			Usage: "file path to custom seccomp profile. seccomp must be set to true, before using seccomp-profile",
+		},
 	}
 )
diff --git a/cmd/ctr/commands/run/run_unix.go b/cmd/ctr/commands/run/run_unix.go
index 8ab81c4e0..07809f5cb 100644
--- a/cmd/ctr/commands/run/run_unix.go
+++ b/cmd/ctr/commands/run/run_unix.go
@@ -20,6 +20,7 @@ package run
 import (
 	gocontext "context"
+	"fmt"
 	"path/filepath"
 	"strconv"
 	"strings"
@@ -185,9 +186,21 @@ func NewContainer(ctx gocontext.Context, client *containerd.Client, context *cli
 	if context.Bool("net-host") {
 		opts = append(opts, oci.WithHostNamespace(specs.NetworkNamespace), oci.WithHostHostsFile, oci.WithHostResolvconf)
 	}
-	if context.Bool("seccomp") {
-		opts = append(opts, seccomp.WithDefaultProfile())
+
+	seccompProfile := context.String("seccomp-profile")
+
+	if !context.Bool("seccomp") && seccompProfile != "" {
+		return nil, fmt.Errorf("seccomp must be set to true, if using a custom seccomp-profile")
 	}
+
+	if context.Bool("seccomp") {
+		if seccompProfile != "" {
+			opts = append(opts, seccomp.WithProfile(seccompProfile))
+		} else {
+			opts = append(opts, seccomp.WithDefaultProfile())
+		}
+	}
+
 	if cpus := context.Float64("cpus"); cpus > 0.0 {
 		var (
 			period = uint64(100000)
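Review bot: The Usage text of the new `seccomp-profile` flag reads awkwardly and names the flags without their dashes, so the help output does not match how a user actually types them; `Usage: "file path to a custom seccomp profile (requires --seccomp)"` says the same thing in one clause. The prerequisite it describes is enforced in the `run_unix.go` hunk of this same commit, so the two strings should stay in step: if the error message there is reworded, this Usage line should be too. Whether a non-Unix `NewContainer` variant also honours or rejects this flag is not visible here; since the flag is declared in the shared `commands.go` list, it would be worth confirming rather than leaving a silently ignored option.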
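Review bot: The seccomp handling in `NewContainer` reads `context.Bool("seccomp")` twice and nests an `if`/`else` under a second `if` to express three mutually exclusive outcomes, which a single `switch` states more directly; `fmt.Errorf` is also called with no formatting verbs, so `errors.New` is the idiomatic choice (and, if `fmt` has no other use in this file — not visible here — the `"fmt"` import added in the earlier hunk would become `"errors"`). The error text should name the flags as the user types them, e.g. `--seccomp-profile requires --seccomp`, matching the Usage string in `commands.go`. Note that `seccompProfile` is an operator-supplied path handed straight to `seccomp.WithProfile`; nothing here checks that it names a readable file, so if `WithProfile` only loads it when the spec opts are applied (its implementation is outside this diff), a wrong path surfaces later as a container-creation failure rather than as a flag-validation error, which is acceptable but worth a short comment. The enclosing function starts and ends outside the hunk.
```go
	seccompProfile := context.String("seccomp-profile")
	switch {
	case seccompProfile != "" && !context.Bool("seccomp"):
		return nil, errors.New("--seccomp-profile requires --seccomp")
	case seccompProfile != "":
		// Custom profile wins over the default; the file is read by WithProfile.
		opts = append(opts, seccomp.WithProfile(seccompProfile))
	case context.Bool("seccomp"):
		opts = append(opts, seccomp.WithDefaultProfile())
	}
	// … unchanged: cpus / period handling …
```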