diff --git a/python/.changelog.d/4000.added b/python/.changelog.d/4000.added
new file mode 100644
index 000000000..a3a31bd6d
--- /dev/null
+++ b/python/.changelog.d/4000.added
@@ -0,0 +1 @@
+Added ability to set Optiga's security event counter to maximum: `trezorctl debug optiga-set-sec-max`.
diff --git a/python/src/trezorlib/cli/debug.py b/python/src/trezorlib/cli/debug.py
index e262b1fea..50613a04e 100644
--- a/python/src/trezorlib/cli/debug.py
+++ b/python/src/trezorlib/cli/debug.py
@@ -21,6 +21,7 @@ import click
 from .. import mapping, messages, protobuf
 from ..client import TrezorClient
 from ..debuglink import TrezorClientDebugLink
+from ..debuglink import optiga_set_sec_max as debuglink_optiga_set_sec_max
 from ..debuglink import prodtest_t1 as debuglink_prodtest_t1
 from ..debuglink import record_screen
 from . import with_client
@@ -112,3 +113,10 @@ def prodtest_t1(client: "TrezorClient") -> str:
     Only available on PRODTEST firmware and on T1B1. Formerly named self-test.
     """
     return debuglink_prodtest_t1(client)
+
+
+@cli.command()
+@with_client
+def optiga_set_sec_max(client: "TrezorClient") -> str:
+    """Set Optiga's security event counter to maximum."""
+    return debuglink_optiga_set_sec_max(client)
diff --git a/python/src/trezorlib/debuglink.py b/python/src/trezorlib/debuglink.py
index b7631fcd7..5786e1590 100644
--- a/python/src/trezorlib/debuglink.py
+++ b/python/src/trezorlib/debuglink.py
@@ -1362,3 +1362,8 @@ def record_screen(
 def _is_emulator(debug_client: "TrezorClientDebugLink") -> bool:
     """Check if we are connected to emulator, in contrast to hardware device."""
     return debug_client.features.fw_vendor == "EMULATOR"
+
+
+@expect(messages.Success, field="message", ret_type=str)
+def optiga_set_sec_max(client: "TrezorClient") -> protobuf.MessageType:
+    return client.call(messages.DebugLinkOptigaSetSecMax())